translate5 / TRANSLATE-5123

Limit password reset functionality to be used in a specific time interval (finding N1.2)


    • Type: Bug
    • Resolution: Unresolved
    • Component: User Management
    • Priority: Medium
    • There was no restriction on how often the password reset functionality can be used, which allows an attacker to flood a user's mailbox with reset mails.

      problem

      The password reset endpoint has no restriction on how often it can be used per user, so a user's mailbox can be flooded with reset mails.

      solution

      • Restrict the usage per user. This seems easy to do via the passwdresethash table, BUT:
      • In order to prevent username guessing we can not use the passwdresethash table as it is, since it only contains entries for existing users: a limit based on that table would behave differently for existing and non-existing usernames and so reveal which usernames exist.
      • Conclusion: the limiting of passwdreset URL calls must be done on the basis of the given username, regardless of whether it exists or not. So for a specific username the passwdreset should only be possible 3 times per hour.
      • Also the cron should remove the entries in the passwdresethash table older than 30 minutes.
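The following is an added example illustrating the design above; it is not translate5 code (translate5 is a PHP application) and is written in Python with SQLite so it runs stand-alone. The table passwdresethash is taken from the ticket; the users table, the attempts table (passwdreset_attempts), all column names, the mail queue stand-in and the injectable clock are assumptions made for this example. The point it shows is that the limiter counts requests per submitted username before the user lookup happens, so an existing and a non-existing username produce identical responses, and that the same cron step purges reset hashes older than 30 minutes.

```python
"""Added example (not translate5 code): per-username rate limiting for a
password reset endpoint, modelled on the design in TRANSLATE-5123.

Assumed for this example: SQLite storage, the users and passwdreset_attempts
tables, all column names, and a list standing in for the mail queue.
"""
import hashlib
import secrets
import sqlite3
import time

WINDOW_SECONDS = 3600             # "3 times per hour"
MAX_ATTEMPTS_PER_WINDOW = 3
RESET_HASH_TTL_SECONDS = 30 * 60  # cron removes hashes older than 30 minutes

GENERIC_RESPONSE = "If that username exists, a reset e-mail has been sent."
RATE_LIMITED_RESPONSE = "Too many reset requests for this username. Try again later."


class FakeClock:
    """Controllable clock so the sliding window can be exercised offline."""

    def __init__(self, start=1_700_000_000):
        self.t = start

    def __call__(self):
        return self.t


class PasswordResetService:
    def __init__(self, conn, clock=time.time):
        self.conn = conn
        self.clock = clock      # callable returning a unix timestamp
        self.sent_mail = []     # stand-in for the mail queue: (recipient, token)
        self.conn.executescript("""
            CREATE TABLE IF NOT EXISTS users (login TEXT PRIMARY KEY, email TEXT NOT NULL);
            -- passwdresethash only ever holds rows for real users, so it must not
            -- be what the limiter counts against (would leak which logins exist).
            CREATE TABLE IF NOT EXISTS passwdresethash (
                login TEXT NOT NULL, hash TEXT NOT NULL, created INTEGER NOT NULL);
            -- hypothetical table keyed by the *submitted* name, existing or not
            CREATE TABLE IF NOT EXISTS passwdreset_attempts (
                login_key TEXT NOT NULL, requested INTEGER NOT NULL);
        """)

    @staticmethod
    def _login_key(submitted):
        # Store a digest of the submitted name rather than the raw string, so
        # guessed usernames are not kept in clear text (design choice of this example).
        return hashlib.sha256(submitted.encode("utf-8")).hexdigest()

    def request_reset(self, submitted_username):
        now = int(self.clock())
        key = self._login_key(submitted_username)
        # Count attempts for this submitted name inside the sliding window
        # BEFORE checking whether such a user exists.
        (count,) = self.conn.execute(
            "SELECT COUNT(*) FROM passwdreset_attempts "
            "WHERE login_key = ? AND requested > ?",
            (key, now - WINDOW_SECONDS)).fetchone()
        if count >= MAX_ATTEMPTS_PER_WINDOW:
            return RATE_LIMITED_RESPONSE
        self.conn.execute("INSERT INTO passwdreset_attempts VALUES (?, ?)", (key, now))
        # Only now touch the real user table; the response is the same either way.
        row = self.conn.execute(
            "SELECT email FROM users WHERE login = ?", (submitted_username,)).fetchone()
        if row is not None:
            token = secrets.token_urlsafe(32)
            # Persist only a digest of the token; the mail carries the token itself.
            self.conn.execute(
                "INSERT INTO passwdresethash VALUES (?, ?, ?)",
                (submitted_username, hashlib.sha256(token.encode()).hexdigest(), now))
            self.sent_mail.append((row[0], token))
        self.conn.commit()
        return GENERIC_RESPONSE

    def purge_expired(self):
        """Cron step: drop reset hashes older than 30 minutes and attempt rows
        that have left the rate-limit window. Returns (hashes, attempts) removed."""
        now = int(self.clock())
        hashes = self.conn.execute(
            "DELETE FROM passwdresethash WHERE created < ?",
            (now - RESET_HASH_TTL_SECONDS,)).rowcount
        attempts = self.conn.execute(
            "DELETE FROM passwdreset_attempts WHERE requested <= ?",
            (now - WINDOW_SECONDS,)).rowcount
        self.conn.commit()
        return hashes, attempts


if __name__ == "__main__":
    clock = FakeClock()
    svc = PasswordResetService(sqlite3.connect(":memory:"), clock)
    svc.conn.execute("INSERT INTO users VALUES ('alice', 'alice@example.invalid')")
    for name in ("alice", "nobody"):
        print(name, [svc.request_reset(name) for _ in range(4)])
    print("mails queued:", len(svc.sent_mail))
```

Two caveats a reviewer of this design would raise: the rate-limited answer is safe to show only because it is produced for unknown names as well, so the fourth request for a made-up login looks exactly like the fourth request for a real one; and a per-username limit alone still lets one source send 3 mails per hour to every known address, so a complementary per-source (IP or session) limit is the usual second layer. The digest of the submitted name is not a secret (an attacker can compute it), it only keeps guessed logins out of plain-text rows.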

            tlauria Thomas Lauria